From 8df0459503625567a76a892a16acc9ff79dc0c6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 25 Apr 2024 22:37:35 +0200
Subject: [PATCH] rootfs: Stop building and shipping OPA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since OPA binary was replaced by the regorus crate, we can finally stop building and shipping the binary.

Signed-off-by: Fabiano FidĂȘncio
---
 src/kata-opa/kata-opa.service.in | 29 ---------
 .../rootfs-builder/cbl-mariner/config.sh | 1 -
 tools/osbuilder/rootfs-builder/rootfs.sh | 62 -------------------
 versions.yaml | 16 -----
 4 files changed, 108 deletions(-)
 delete mode 100644 src/kata-opa/kata-opa.service.in

diff --git a/src/kata-opa/kata-opa.service.in b/src/kata-opa/kata-opa.service.in
deleted file mode 100644
index acb24d941ae9..000000000000
--- a/src/kata-opa/kata-opa.service.in
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Copyright (c) 2023 Microsoft Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-
-[Unit]
-Description=Open Policy Agent for Kata Containers
-Documentation=https://github.com/kata-containers
-ConditionPathExists=@SETTINGSDIR@/default-policy.rego
-
-# kata-agent connects to OPA while starting up.
-Before=kata-agent.service
-
-[Service]
-Type=simple
-ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info
-DynamicUser=yes
-RuntimeDirectory=kata-opa
-LimitNOFILE=1048576
-
-# Don't restart because there may be an active policy that would be lost.
-Restart=no
-
-# Send log output to tty to allow capturing debug logs from a VM vsock port.
-StandardError=tty
-
-# Discourage OOM-killer from touching the policy service.
-OOMScoreAdjust=-997
diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
index 8f6b8c59a6d1..dd4ca5242998 100644
--- a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
+++ b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh
@@ -9,4 +9,3 @@ PACKAGES="kata-packages-uvm"
 [ "$CONF_GUEST" = yes ] && PACKAGES+=" kata-packages-uvm-coco"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp"
-[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index f57b8de9838d..e0765113d667 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -659,30 +659,6 @@ EOF
 fi
 
 if [ "${AGENT_POLICY}" == "yes" ]; then
- # Setup systemd-based environment for kata-opa.
- local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")"
- if [ -z "${opa_bin_dir}" ]; then
- # OPA was not installed already, so download it here.
- #
- # TODO: if an OPA package is not available for the Guest image distro,
- # Kata should cache the OPA source code, toolchain information, etc.
- # OPA should be built from the cached source code instead of downloading
- # this binary.
- #
- opa_bin_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.meta.binary)"
- info "Downloading OPA binary from ${opa_bin_url}"
- curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA"
-
- # Install the OPA binary.
- opa_bin_dir="/usr/local/bin"
- local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa"
- info "Installing OPA binary to ${opa_bin}"
- install -D -o root -g root -m 0755 opa -T "${opa_bin}"
- strip ${ROOTFS_DIR}${opa_bin_dir}/opa
- else
- info "OPA binary already exists in ${opa_bin_dir}"
- fi
-
 # Install default settings for the kata-opa service.
 local opa_settings_dir="/etc/kata-opa"
 local policy_file_name="$(basename ${agent_policy_file})"
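Review bot: The context comment kept on the new side of the rootfs.sh hunk, `# Install default settings for the kata-opa service.`, now describes a unit this same commit deletes (src/kata-opa/kata-opa.service.in), and the kept `opa_settings_dir` / `/etc/kata-opa` names carry the stale reference too; the comment should state what the file is now for, e.g. `# Install the default agent policy under /etc/kata-opa; per the commit message the agent evaluates it in-process (regorus), so no OPA service is installed.` Renaming the `/etc/kata-opa` directory itself should not be done here unless the agent's expected policy path is changed with it, which this patch does not show. Separately, the kept line `local policy_file_name="$(basename ${agent_policy_file})"` leaves `${agent_policy_file}` unquoted and hides basename's exit status behind `local` (ShellCheck SC2086/SC2155); `local policy_file_name; policy_file_name="$(basename "${agent_policy_file}")" || die "bad agent_policy_file"` is the usual form. The enclosing function starts and ends outside the hunk.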
@@ -690,26 +666,6 @@ EOF
 mkdir -p "${policy_dir}"
 install -D -o root -g root -m 0644 "${agent_policy_file}" -T "${policy_dir}/${policy_file_name}"
 ln -sf "${policy_file_name}" "${policy_dir}/default-policy.rego"
-
- if [ "${AGENT_INIT}" == "yes" ]; then
- info "OPA will be started by the kata agent"
- else
- # Install the unit file for the kata-opa service.
- local kata_opa_in_dir="${script_dir}/../../../src/kata-opa"
- local kata_opa_unit="kata-opa.service"
- local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}"
- local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants"
-
- opa_settings_dir="${opa_settings_dir//\//\\/}"
- sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}"
-
- opa_bin_dir="${opa_bin_dir//\//\\/}"
- sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}"
-
- install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}"
- mkdir -p "${kata_containers_wants}"
- ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}"
- fi
 fi
 
 info "Check init is installed"
@@ -729,24 +685,6 @@ EOF
 create_summary_file "${ROOTFS_DIR}"
 }
 
-get_opa_bin_dir()
-{
- local rootfs_dir="$1"
- local -a bin_dirs=(
- "/bin"
- "/usr/bin"
- "/usr/local/bin"
- )
- for bin_dir in "${bin_dirs[@]}"
- do
- local opa_bin="${rootfs_dir}${bin_dir}/opa"
- if [ -f "${opa_bin}" ]; then
- echo "${bin_dir}"
- return 0
- fi
- done
-}
-
 parse_arguments()
 {
 [ "$#" -eq 0 ] && usage && return 0
diff --git a/versions.yaml b/versions.yaml
index 5dc0084c9a61..27afc4e2c108 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -289,22 +289,6 @@ externals:
 url: "https://github.com/containerd/nydus-snapshotter"
 version: "v0.12.0"
 
- open-policy-agent:
- description: "Open Policy Agent"
- url: "https://github.com/open-policy-agent/opa"
- version: "v0.55.0"
- meta:
- # - If an OPA package is available for the Guest image distro, that
- # package is used instead of the binary below.
- #
- # - TODO: if an OPA package is not available for the Guest image distro,
- # Kata should cache the OPA source code, toolchain information, etc.
- # OPA should be built from the cached source code instead of downloading
- # this binary.
- #
- # yamllint disable-line rule:line-length
- binary: "https://github.com/open-policy-agent/opa/releases/download/v0.55.0/opa_linux_amd64_static"
-
 ovmf:
 description: "Firmware, implementation of UEFI for virtual machines."
 url: "https://github.com/tianocore/edk2"
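Review bot: Dropping the `externals.open-policy-agent` entry means any lookup of `externals.open-policy-agent.meta.binary` (or `.version`) that survives outside this patch would resolve to an empty value and fail late and less descriptively at build time rather than at configuration time. The only consumer visible here, the `get_package_version_from_kata_yaml` call in rootfs.sh, is removed in the same commit, so this is a request to confirm that no other reader of the key (CI workflows, packaging, docs) remains. A short sentence in the commit description noting that the key has no remaining consumers would make the removal self-evidently safe to anyone bisecting later.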